SPRING CRM with custom LOGIN PAGE and REGISTRATION FORM(custom user details) with SPRING SECURITY and JDBC AUTHENTICATION and AUTHORIZATION using BCRYPT algorithm
In this project I used Spring Security for JDBC authentication and authorization with custom login page. I applied authorization for appropriate user roles (EMPLOYEE, MANAGER or ADMIN).
I also made registration form, so we can register a new user and save it to the database.Every new user which we registered have EMPLOYEE role by default.In database we have already stored some users with role MANAGER and ADMIN, these users have also role EMPLOYEE.
This registration form have validation rules, because in this example we used Hibernate Validator.We made our custom validation rules, ie. custom java annoations.On the next picture we can see how registration form looks like, but first we will break this validations to see all error messages.
Username field, can't have null value and must have min 1 char.I also checked the case if we enterd the username which already exists in the database, to show as an error message:"User name already exists".
Password field, can't have null value and must have min 1 char.
Confirm Password field, can't have null value and must have min 1 char also. For these two fields, I made my custom validation rule and my custom annotation, because these two fields must match.If they don't match we will get an error message:"The password fields must match".
First name field, can't have null value and must have min 1 char.
Last name field, can't have null value and must have min 1 char.
Email field, can't have null value and must have min 1 char.Here I also made my custom validation rule and my custom annotation, for this field I used regular expressions for email.
When we enter a valid data in registration form, and when we press button register, then we saved all that user information into the database.In this case we made one database with following tables:user, role and user_role.
In this project as we can see I used bcrypt algorithm for password encryption, this is one-way encrypted hashing, so the password in the database can never be decrypted. To protect against CSRF attacks I used additional authentication data/token into all HTML forms.On this way we can prevent evil website to tricks us into executing an action on a web application that you are currently logged in.For each request we have randomly generated token and Spring Security verifies token before processing.
On the next picture we can see relationships between the tables.We made N:M-MANY TO MANY relationship between the tables user and role, because one user can have many roles and one role can have many users.To achieve this I made one more table, link table called user_role.
When we are logged in our app with appropriate username and password, we have security authorization, so the user with role EMPLOYEE can only see this page with all information about user, such is:username, role, first name, last name and email.
The user with role MANAGER have access some additional page Leadership Meeting.
When we enter on that page we can see some additional information.
The user with role ADMIN also have access some additional page IT Systems Meeting.
When we enter on that page we can see some following additional information.
I also added logout button, because we want to logout the user from the system, on that way we also removing http session, cookies, etc…
If some other user which is not authorized trys to access some additional information and pages, he will get access denied page with message.
